
Django-REST Framework Object Level Permissions and User Level Permissions


Let us consider the scenario of Authors, Books, and Readers.

Authors are only allowed to write books.

Readers are only allowed to read books. Two different DRF hooks implement this: whether a user may act at all is a user-level check (`has_permission`, run before the view body on every request), while whether a particular book may be read is an object-level check (`has_object_permission`, run against the instance the view fetches).

from django.utils.translation import ugettext_lazy as _
from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin
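class User(AbstractBaseUser, PermissionsMixin):
    """Custom user model carrying the role (``user_type``) the permission classes check.

    Notes for the models module (not all of it is shown in the listing):
    ``from django.db import models`` is required; ``ugettext_lazy`` was removed in
    Django 4.0, use ``gettext_lazy`` on current versions; a custom manager providing
    ``create_user``/``create_superuser`` is needed before ``createsuperuser`` works.
    """

    USER_TYPES = (
        ("Author", "Author"),
        ("Reader", "Reader"),
        ("Publisher", "Publisher"),
    )

    # AbstractBaseUser does not define USERNAME_FIELD; a custom user model must name
    # the unique login identifier itself.
    USERNAME_FIELD = "username"

    username = models.CharField(max_length=100, unique=True)
    first_name = models.CharField(_("first name"), max_length=30, blank=True, null=True)
    last_name = models.CharField(_("last name"), max_length=30, blank=True, null=True)
    email = models.EmailField(_("email address"), unique=True)
    is_staff = models.BooleanField(_("staff status"), default=False)
    is_active = models.BooleanField(_("active status"), default=True)
    # Authorization attribute read by IsAllowedToWrite. Keep it out of any
    # user-editable serializer: letting a client set it is a privilege escalation.
    # ``choices`` alone sets no length; CharField requires max_length (check fields.E120).
    user_type = models.CharField(max_length=20, choices=USER_TYPES)

    def __str__(self):
        # The body was cut from the listing; the login name is the natural label.
        return self.username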

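class Book(models.Model):
    """Book record; ``is_allowed_to_read`` is the per-object flag IsAllowedToRead checks."""

    READ_OPTIONS = (
        ("YES", "YES"),
        ("NO", "NO"),
    )

    name = models.CharField(max_length=300)
    pages = models.IntegerField()
    price = models.DecimalField(max_digits=10, decimal_places=2)
    rating = models.FloatField()
    # Per-book authorization flag compared against "YES" by
    # IsAllowedToRead.has_object_permission. A BooleanField would be the clearer
    # type, but the permission class relies on the string value. CharField needs
    # max_length even with ``choices`` (Django check fields.E120).
    is_allowed_to_read = models.CharField(max_length=3, choices=READ_OPTIONS)

    def __str__(self):
        # The body was cut from the listing.
        return self.name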

from rest_framework.permissions import BasePermission

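class IsAllowedToWrite(BasePermission):
    """User-level check: only authenticated users whose ``user_type`` is "Author" pass.

    ``has_permission`` runs before the view body on every request. The request may
    carry an ``AnonymousUser`` (or ``None`` if unauthenticated requests are configured
    that way), neither of which has a ``user_type`` attribute; the original
    ``request.user.user_type == "Author"`` would raise AttributeError (an HTTP 500)
    instead of denying. Checking ``is_authenticated`` first and reading the role with
    ``getattr`` makes the check fail closed. ``user_type`` must only ever be set
    server-side; this check is only as strong as that invariant.
    """

    def has_permission(self, request, view):
        user = request.user
        if not getattr(user, "is_authenticated", False):
            return False
        return getattr(user, "user_type", None) == "Author"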

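class IsAllowedToRead(BasePermission):
    """Object-level check: the fetched Book must carry ``is_allowed_to_read == "YES"``.

    Only ``has_object_permission`` is defined, so the inherited ``has_permission``
    returns True and the view-level gate (authentication, role) must come from the
    other classes listed in the view's ``permission_classes``. DRF calls this hook
    only where the view invokes ``check_object_permissions`` -- ``get_object()`` in
    the generic retrieve/update/destroy views does; list views never do, so this
    class does not filter a list queryset. The flag is per-book, not per-reader, so
    nothing about ``request.user`` is examined here.
    """

    def has_object_permission(self, request, view, obj):
        # Fail closed if a view hands over an object that lacks the flag.
        return getattr(obj, "is_allowed_to_read", None) == "YES"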

from rest_framework import generics
from rest_framework.permissions import IsAuthenticated

from app.models import Book
from app.permissions import IsAllowedToWrite, IsAllowedToRead
from app.serializers import WriteBookSerializer, ReadBookSerializer

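class WriteBookView(generics.CreateAPIView):
    """POST endpoint creating a Book; restricted to Authors.

    ``IsAuthenticated`` is listed first because DRF evaluates ``permission_classes``
    in order and denies on the first failure, so ``IsAllowedToWrite`` never receives
    an ``AnonymousUser`` (which has no ``user_type`` attribute). Creation has no
    object, so no object-level check applies here.
    """

    serializer_class = WriteBookSerializer
    permission_classes = (IsAuthenticated, IsAllowedToWrite)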

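class ReadBookView(generics.RetrieveAPIView):
    """GET endpoint returning one Book by primary key.

    The listing wired this view to ``IsAllowedToWrite``, which is the Author role
    check and ignores the book's ``is_allowed_to_read`` flag entirely; the
    object-level ``IsAllowedToRead`` is the intended class. ``IsAuthenticated``
    keeps the endpoint to signed-in users, which is what the Author/Reader scenario
    implies; drop it if books flagged "YES" are meant to be public.
    ``RetrieveAPIView.get_object()`` requires a ``queryset`` and is also what
    triggers the object-level permission check.
    """

    queryset = Book.objects.all()
    serializer_class = ReadBookSerializer
    permission_classes = (IsAuthenticated, IsAllowedToRead)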


For more details, see the Django REST framework permissions documentation or its source code on GitHub.